Assorted todo lists carried over from #3179845: [meta] Priorities for 2020-12-02 bugfix release of Drupal 7.76 / 7.77 and #3192080: [meta] Priorities for 2021-04-07 release of Drupal 7.
These are not necessarily in priority order.
Almost all of these fixes are viewed by some people to be important and may be included in their drush make or composer.json files.
Done
todo
- #3102159: Add tests for Archive_Tar Multiple security fixes for Archive_Tar recently, and there's no test coverage in D7.
- #229825: backport "$_COOKIE['has_js'] must die" patch to 7.x Fixed in D8/9. Recent testing confirms it works.
- #106721: Optimize node access query building Important performance improvement. Used in Acquia Commons distribution with >600 installs.
Issues raised by @MustangGB:
- #2884171: The drupal_render() function could use a bit more protection May need to add logging for developers.
- #2994212: field_sql_storage_field_storage_load does use an unnecessary sort in the DB leading to a filesort Another field storage issue, marked as major with patch by Fabianx that still applies.
Issues which have had recent activity, and are RTBC. Possibly transfer to next maintenance release:
The issues above have not been added into the following sorting.
Simple Fixes: These may only take a few minutes each to review and commit.
- #674354: CSS selectors get overridden by narrower selector at style.css when using Seven Simple fix, moves in line with D8 having more specific selectors.
- #1944246: taxonomy_allowed_values should use entity_label Helpful for taxonomy translation. Fixed in D8. Two lines!
- #1973278: Error in image_styles of image.module on database update Simple fix, does it really need a test?
- #2039709: Forward slash in filter aliases in url alias overview doesn't work Simple fix. Major issue. Fixed in D8. Backport to D7. Re-queued tests.
- #2768921: Backport server configuration code from SA-CORE-2016-003 to Drupal 7 Patch that is a combined backport of SA-CORE-2016-003 and #2783079: DRUPAL-SA-CORE-2016-003 Completely broke IIS drupal deployments
- #2863786: D7 ThemeRegistry array_key_exists() micro-optimization Simple fix, micro-optimization. Fixed in D8. Fabianx likes this, see comment#18.
- #2959727: drupal_add_html_head_link() needs to allow multiple hreflang tags to point to one URL. Simple fix required for sites using translations.
- #3006123: D7 drupal_array_get_nested_value() array_key_exists() micro-optimization Simple fix, micro-optimization.
- #3015223: Never use aggregation in maintenance mode. Simple fix, Fabianx marked as RTBC, patch re-rolled. Draft change record exists: https://www.drupal.org/node/3018664
- #3023545: [D7] Disable brotli compression of pre-compressed CSS and JS Adds a few lines in .htaccess to prevent double compression. Fixed in D8.
- #3181653: Add aria-atomic to autocomplete Simple fix required for some accessibility checkers.
- #3200198: [D7] password reset form prevent revealing email or username in use Simple fix, backport of issue fixed in D9 with tags "Security & Privacy improvements".
- #920840: Broken images displayed and PHP notices when file/image field values are missing
- #2218647: [D7] Undefined property: stdClass::$nid in node_tokens()
Important Fixes:
- #460408: Cannot administer menu item/link if it points to an unpublished node Important fix, tagged as major. Patch by David Rothstein RTBC. Fixed in D8.
- #980144: Issues with "required, multiple" fields in forms Important fix. Fixed in D8
- #1007746: Reordering fails with more than 100 items in a menu Important fix. Patch has tests and is fixed in D8/D9.
- #1705618: Double click prevention on form submission Important to prevent double submission of forms, creating duplicate nodes, etc. Must clear browser cache to take effect.
- #1899126: Add wrappers to fix permission checks Required for POSIX filesystem. Fixed in D8? @orlitzky: "I'm just going to keep updating the patch for drupal-7.x for the rest of my life." "I'll keep posting patches until I don't have to any more."
- #1951408: Core Update manager doesn't correctly handle "status" UPDATE_NOT_CHECKED Includes D7 core patch in comment #16. Required for update_advanced module that is used by 2,700 sites and "Triaged D8 major" but no action for D8/D9.
- #1978176: Build menu_tree without loading so many objects @joseph.olstad: "... the performance improvement is huge! .. After several years I see no credible reports of an issue with this patch"
- #2418755: Path alias filter by system path Includes a 6-year-old patch for D7 in comment #1 that has been RTBC. Without the patch "it's very hard to find alias which contains few slashes in path."
- #2431283: Cron CSRF vulnerability Security hardening fix. Fixed in D8. Fabianx comment in #31, just before last patch.
- #2522002: Do not strip www. from cookie domain by default because that leaks session cookies to subdomains Simple patch, security improvement. Sessions table may need to be emptied. Backport. Fixed in D8. Change record for D8: https://www.drupal.org/node/2523826
- #2637680: Submit buttons for GET forms in search/views are not W3C valid due to empty 'name' attribute Fixed in D8. Has tests that fail as expected.
- #2752783: [D7] file_unmanaged_move() should issue rename() where possible instead of copy() & unlink() Important fix. Mcdruid urging commit. @joseph.olstad: "D8 has this already. It is a good idea."
- #2789723: [D7 backport] drupal_mkdir does not set permissions to directories it created recursively Important fix, includes tests. Backport of D8 fix.
- #2802159: [D7] SQL layer: $match_operator is vulnerable to injection attack Important fix. Backport of D8 fix.
- #2877131: [D7] CSS aggregation strips some essential whitespace within strings Patch in comment #15 still applies, re-roll of #8 which was RTBC, has test coverage, passes tests, fixed in D8.
- #2970929: [D7] Support X-Forwarded-* HTTP headers alternates Important backport for reverse proxies and load balancers.
- #3008170: [D7] Deleting node type leaves orphan nodes Important, has tests. Backport from D8.
- #3210388: Potential dataloss when opting in to "Avoid field storage write when field content did not change" and changing the bundle type of an existing entity
Unsorted Fixes:
- #111702: Set fixed "from:" and add "Reply-to:" to comply with DMARC
- #965078: HTTP request checking is unreliable and should be removed in favor of watchdog() calls Needs work and needs CR.
- #1328696: Problem with _drupal_wrap_mail_line and attachment files Attaching a docx file or files with long names results in an email that is not correct. Fixed in D8, backport for D7 has patch.
- #1835754: Add last 'changed' property to user entity Nice to have. Adds last modified to user table. Has been added to D8/9.
- #2128055: Files should be uploaded to per year/month directories by default
- #3002101: Ajax upload with validation throws PHP notice on PHP 7
- #3017522: D7 - Verify peer on HTTPS if cURL available (but be careful of built-in cert bundles in the codebase) Verifies SSL certificates in OpenSSL connections (Critical)
- #3176634: [D7] node_access filters out accessible nodes when node is left joined Issue identified as major. Fixed in D8 with D9 fix pending. Backport to D7 patch from 2016-March-9